Comment by WA

7 months ago

Vlad is not discussing, he is lecturing. The author of the blog post seems right. Vlad defends his position "lol email is not PII" repeatedly, despite being obviously and completely wrong. He has no understanding that it doesn't matter that a user could enter fake information.

His business collects email addresses, which is a process. Under GDPR, this process must be documented, users must be given their data on request (even if it just contains an email address, but usually it also contains the signup date for example as a proof for their data processing consent) and users must be informed about their rights to correct or delete such data.

He comes off totally as the "trust me bro" guy with zero respect for a different perspective and doesn't seem to be interested in changing his (objectively wrong) opinion. It is almost laughable, because "is email PII" has been discussed a million times since the introduction of the GDPR that you must've lived under a rock to dismiss it like Vlad did.

He explicitly said in his email that "Personal emails are PII", so how is that a defence of his previous position?

  • It does not matter in this context, because it is still incorrect.

    > Personal emails are PII. But you can register to Kagi with a random email, and that is not PII.

    Company has no means to identify what is the difference between personal or random email. Everything can be and must be treated equally from privacy perspective.

  • I re-read again. You are right, he says "personal emails are PII" in this email. In the original post however he dismisses the whole GDPR data request process as "we don't need this, because you can provide fake data".

    Point is: if the business requests an email address, many people will provide their real email address and your business needs to document this process under GDPR. I just checked. The signup form doesn't say "please give a FAKE email address", it just says "email address".

    If a user provides a real email address, Kagi must respond to GDPR Art. 15 requests by providing... that same email address. Might sound silly, but usually there is other data associated with this. Usually, at least the timestamp of the signup. If a business is really GDPR compliant, it will offer a download option for stuff like user settings and so on.

    Or, if the user signed up and later deleted the account, his email should explicitly NOT show up when asking for personal data.

    See, it is about documenting the process, whether the outcome is "here is your email address you just asked for" or "we don't have any data on you". And Vlad says that this process is irrelevant for Kagi, while it is not.

    • It's ultimately not up to Vlad. If the law declares email addresses are PII, they're PII.

      If he's positioning his company to challenge that law when he runs afoul of it, that's a choice they can make but it's a business risk (and IANAL, but... Probably one they'll lose).

    • > If a business is really GDPR compliant, it will offer a download option for stuff like user settings and so on.

      I've made a bunch of SARs, including pre-GDPR, and I've never received one that contained my user settings, so that seems pretty normal.

      The whole PII convo seems incredibly asinine though, "PII" is not a thing in the GDPR. Personal data is[^1], but that's not the same thing.

      If Kagi keep a record of searches performed by a user, that's something that a SAR should be used for, but the whole convo just misses the mark entirely.

      [^1]: See article 4.1 https://gdpr-info.eu/art-4-gdpr/